(57) Abstract

A system and method for zoning devices (201-208) in a computer network (200), comprising a zone configuration database listing
connected devices (201-208). The database includes for each device (201-208) an associated zone mask identifying specific zones (220,
222) of which each device (201-208) is a member. The database allows access between devices (201-208) that are members of the same
zone (220, 222) and denies access between devices (201-208) that are not members of the same zone (220, 222).
SYSTEM AND METHOD OF ZONING AND ACCESS CONTROL IN A COMPUTER NETWORK

CROSS-REFERENCE TO RELATED APPLICATIONS 
The present application is related to, and claims priority in, co-pending
U.S. Provisional Patent Application Serial No. 60/124,494,
entitled "System and Method for Zoning and Access Control, Event
Management, and Network Management in a Computer Network," filed on
March 15, 1999.

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates generally to zoning in a computer
network, and more particularly to creating zones or virtual groups in a
computer network such as a Storage Area Network (SAN).

2. Description of the Background Art 

The introduction of fibre channel has allowed greatly increasing
network connectivity between servers and storage so that many more
devices can be connected to a network.

Fibre channel is an ANSI-standard, high-speed data
communications technology providing gigabit-per-second transmission
rates for storage/server and high-performance networking environments.

Increases in computer network connectivity generally require
controlling access between various devices by a method such as zoning,
which is a way of partitioning a large set of objects into virtual groups. In
a SAN, the partitions are created between the devices connected to the
SAN. The prior art for zoning computer networks allows zoning only up
to the port level.

FIG. 1 shows a general prior art network configuration 100 with a
plurality of devices 101-108 attached to a networking device 110, such as
a router, bridge, hub, or switch. Port A 112 and port B 114 are members
of zone I 116; this indicates that all of the devices 101-104 connected to
these two ports are members of zone I 116.

To be added to zone I 116, a device needs to be connected through
port A 112 or port B 114. For example, to include device 107 in zone I
116, device 107 must be disconnected from port C 118 and re-connected
to port A 112 or to port B 114. Similarly, to remove a device from zone I
116, the device must be disconnected from the port that is a member
of zone I 116.

Therefore, there remains a need for an improved system and
method to provide a quick and easy way of zoning of devices across ports
without physically moving the devices between ports.
SUMMARY OF THE INVENTION

The present invention provides a system and method for computer 
network zoning up to the device level, including any logical devices. 

The invention includes a zone configuration database which is
created and managed by a program running on a device connected to the
computer network, and is stored in a non-volatile memory on at least one
network device such as a router, a bridge, a hub, a switch, or a network
master connected to the computer network. The zone configuration
database lists each device connected to the computer network, allows
access between devices that are members of the same zone, and denies
access between devices that are not members of the same zone. The zone
configuration database includes a zone mask identifying zones of which
each device is a member. The zone mask includes a read mask and a
write mask. If the read mask for a device is enabled in a particular zone
then the device is granted read only access within that zone, and if the
write mask for the device is enabled in the particular zone then the device
is granted read and write access within that zone.

Other advantages and features of the present invention will be
apparent from the drawings and detailed description as set forth below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating prior art wherein zones are 
established at the port level; 

FIG. 2 is a block diagram illustrating how the present invention in 
one embodiment can establish zones at the device level; 

FIG. 3 is a block diagram illustrating how the invention in another
embodiment can establish zones at the device level across multiple
routers or network devices;

FIG. 4 is a block diagram illustrating how the invention in yet
another embodiment can establish zones at the device level across
multiple routers or network devices;

FIG. 5 is a block diagram of one embodiment of a network device 
according to the invention embodying a processor module for managing 
multiple zones in a computer network; 

FIG. 6 is a diagram of one embodiment of the zone configuration 
database in the processor module of FIG. 5; 

FIG. 7 is a block diagram of one embodiment of the device control
blocks in the processor module of FIG. 5;

FIG. 8 is a diagram of one embodiment of the zone mask 
parameters used in the device control blocks of FIG. 7; 

FIG. 9 is a block diagram of one embodiment of the zone control
blocks in the processor module of FIG. 5;

FIG. 10 is a diagram of one embodiment of the zone mask used in
the zone control blocks of FIG. 9; and

FIG. 11 is a flowchart of a method for initializing and establishing
zones in a computer network according to the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention relates to an improved system and method
for providing zoning in a computer network that spans all the way up to
the device level, including logical devices.

FIG. 2 is a block diagram of the invention in a network
configuration 200 such as a storage-area network (SAN), wherein a
plurality of physical or logical devices 201-208 are connected via a
network box 210, such as a router, bridge, hub, or switch, having ports
A-D, 212-215. The devices can be zoned at the device level regardless of
port location, and also can be members of multiple zones. Device zoning
is controlled through the network box 210 and is preferably configured by
a program running on a master computer managing the computer
network 200.

In FIG. 2, device 201 connected to port A 212, devices 202 and 203
connected to port B 213, and device 207 connected to port C 215 are all
members of zone I 220, and device 201 is the initiating device controlling
access in zone I. Device 204, even though it is connected to port B, is not
a member of zone I 220. Additionally, in the chain of devices connected
to port C 215, the middle device 207 is the only member of zone I 220,
even though device 207 connects through device 206.

FIG. 2 also shows a second zone II 222 which includes devices 204,
205, 206, 207 and 208, wherein device 205 is the initiating device
controlling access in zone II. Device 207 is a member of both zone I 220
and zone II 222, and illustrates how a device can be a member of multiple
zones.

It should be noted that if an initiating device is connected by a bus
directly to another device then, regardless of zone membership, the two
devices can communicate with each other. For example, in FIG. 2 if
device 204 were an initiating device, then it could communicate with
devices 202 and 203.
FIG. 3 is a block diagram of another computer network
configuration 300 illustrating how device level zones can be established
across multiple network boxes 310 and 312. Devices 301-307 are all
connected to both network boxes 310 and 312. Device 301 is connected
to both A ports 314 and 322; devices 302-304 are connected to both B
ports 316 and 324; device 305 is connected to both D ports 320 and 328;
and devices 306 and 307 are connected to both C ports 318 and 326.
The network boxes 310 and 312 control the zoning of these devices. The
FIG. 3 type of configuration allows using multiple boxes with redundant
paths to access devices within a zone.

The zone configuration information is stored in both network boxes
310 and 312. After one of the network boxes has been programmed with
a zoning configuration, and/or after an initialization phase has been
conducted by either network box, the other network box, based on
already-known information as to the location of the other network box, is
automatically updated.

In FIG. 3, devices 301, 303 and 307 are members of zone I 320. Thus,
whichever network box handles a request, device 301 can access only
devices 303 and 307. This feature allows users more control over access
to their networked devices and allows network administrators the
flexibility to configure networks without physically moving devices or
changing ports.

The FIG. 4 diagram illustrates how a more sophisticated network
400 can establish zones at the device level, or more generally, between
multiple network routers or boxes 420 and 422 which are configured to
control zoning. A LAN/WAN 410 is connected through router 420 to a
SAN 430, which in turn is connected to devices 441-443. The LAN/WAN
410 is also connected through router 422 to a SAN 432, which in turn is
connected to devices 444-446. Zone I 450 is configured to include only
devices 443 and 444, even though they are only connected through both
SANs 430, 432, both routers 420, 422 and LAN/WAN 410.
FIG. 5 is a block diagram illustrating one embodiment of a network
device or router 500 embodying a processor module 510 for managing
multiple zones in a computer network. The router 500 has fibre channel
input/output ports 512 and 513, as well as generic input/output ports
514, 515, 516 that can handle multiple networking protocols such as
Gigabit-Ethernet (GE), ATM (Asynchronous Transfer Mode), and SCSI
(Small Computer System Interface). The input/output ports 512-516 are
interconnected with the processor module 510 and a cache/staging
module 518.

The processor module 510 includes a processor 522, a RAM 524, a
non-volatile memory 526, and a ROM 528. After initialization, the RAM
524 includes a set of device control blocks 530 and zone control blocks
532. More details of the device control blocks 530 and zone control
blocks 532 are shown in, and described in conjunction with, FIGs. 7-10.
The non-volatile memory 526 includes a zone configuration database 534
that stores all the information necessary to create and manage zones on a
computer network (not shown) connected through the router 500.

FIG. 6 is a block diagram of one embodiment of the zone
configuration database 534 in the processor module 510 of FIG. 5. The
zone configuration database 534 preferably includes a structure header
610, zone information 620, fibre channel (FC) device information 630,
and SCSI/other device information 640.

The structure header 610 includes standard information identifying
the zone configuration database 534, including signature, checksum,
version number and size.

The zone information 620 identifies each zone configured on the 
computer network from Zone ID 0 to Zone ID n; this identification can 
include an alias name for each zone, a zone ID, a zone mask number, and 
flags. 

The FC device information 630 includes general and zone
information on each connected FC device. The preferred embodiment has
information for two ports, port 0 and port 1. The information for each
port generally includes a port header with identifying information such as
the port number, a checksum, flags, and a device count. The port
information also includes a listing of each device connected through that
port. An FC port can support up to 126 devices, indicated by device 0 to
device 125. Since zones can be on the level of devices, the information
includes the configuration of each connected FC device, in terms of, for
example, a WWN, flags, a read/write mask, and a read-only mask. The
read/write mask and the read-only mask define the zones in which each
device has read/write access, read only access, or no access.

The SCSI/other device information 640 includes general and zone
information on each of the other devices, such as SCSI, ATM, or Gigabit
Ethernet devices, connected to the (FIG. 5) router 500. The preferred
embodiment has four ports or buses, indicated by bus 0 - bus 3. The
information for each bus generally includes a bus header, bus number,
checksum, flags, device count, and a listing of the devices connected
through the bus. The information for each bus can also include a listing
of each logical device associated, through a logical unit number (LUN),
with each device. A SCSI bus can support up to 16 devices, indicated by
device 0 to device 15, through each port. Each device can use logical unit
numbers (LUNs) to identify up to 8 logical devices. Since zones can be
specific to each physical and logical device as with the FC device
information 630, SCSI/other device information 640 includes the
configuration of each device connected through its corresponding bus: a
unique ID, flags, a read/write mask, and a read-only mask. The
read/write mask and the read-only mask define the zones in which each
physical and logical device has read/write access, read-only access, or no
access.

During initialization of the router 500, or if a user requests a
rescan, router 500 scans all enabled ports for connected devices and
creates a device control block 530 and a zone control block 532, for
creating and managing zones, including: port number, port type, port ID,
device ID (SCSI ID or Fibre Channel WWN), device type, and any other
information gathered by an inquiry command or other means.

Every time a zone is created, the zone configuration database 534
information is updated in the non-volatile memory 526 (FIG. 5). This
information includes the zone ID, zone mask information, and zone
name. The network boot-up routine reads the zone configuration
database 534 from the non-volatile memory 526 into the main memory
524 to set the zone mask in the device control blocks 530 and to create
zone control blocks 532.

FIG. 7 is a block diagram of an embodiment of the device control
blocks 530 in processor module 510, which are created from information
received from the devices and the zone configuration database 534. Each
device control block 530 corresponds to a respective physical or logical
device connected to the router 500. The device control blocks 530
include general information required for programming purposes, such as
a structure header, ID, type, state, read capacity data, inquiry data,
disconnect parameters, and statistical data, and also include zone mask
parameters 700 for each connected device.

As shown in greater detail in FIG. 8, the zone mask parameters 700
for each physical or logical device define the zone or zones of which the
device is a member, and what type of access each physical or logical
device is granted. The zone mask 700 preferably includes masks for up
to 32 different zones 802 labeled from 0 to 31. The zone mask 700
parameters include two vectors of binary numbers specifying whether the
device has read only access 804, read/write access 806, or no access.
Each vector is a 32 bit unsigned integer, although other length vectors
may be used instead. Each bit of the vector corresponds to a particular
zone. If bit 0 of the vector is set to 1, then the device is a member of Zone
ID 0, and so on. Thus, a 32 bit mask can support 32 zones, any number
of which a device can be a member of. For example, if the device has
read-only access only in zones 0 and 4, then 1s are written into the 0th
and 4th positions of the read-only vector 804, and 0s are written into all
remaining positions. If the device has read/write access only in zones 1
and 3, then 1s are written into the 1st and 3rd positions of the read/write
vector 806, and 0s are written into all remaining positions of the vector.
The read-only mask 804 is only used on devices that are of a read-write
type, such as a disk drive. This mask 804 allows system administrators to
dynamically control read/write access of a device. Mask 804 is also
useful if a device is a member of multiple zones and allows only some zones
to have full (read/write) access while the rest of the zones have only read
access.

FIG. 9 is a block diagram of an embodiment of the processor
module 510 zone control blocks 532, which are created from information
stored in zone configuration database 534 and in device control blocks
530. Each zone control block 532 names all of the physical or logical
devices that are members of a respective zone. The zone control blocks
532 each include general information required for programming
purposes, such as a structure header, alias name, ID, flags, state, FC
device count, SCSI device count, pointers to FC device control blocks,
pointers to SCSI device control blocks, and a zone mask 900 identifying
the particular zone managed by the zone control block.

As shown in greater detail in FIG. 10, the zone mask 900 defines
the members in the zone. Zone mask 900 preferably covers up to 32
zones 1002 labeled from 0 to 31. The zone mask 900 includes a 32 bit
unsigned integer (although other length numbers could be used)
specifying which zone is managed by the zone block 532. Each bit of the
array corresponds to a zone, but since each zone control block 532
manages only one zone, only one bit of the number is set to 1 while the
remaining bits are set to 0. For whichever zone has its bit set to 1 in zone
mask 900, the zone control block 532 stores the necessary information,
such as pointers, to access all of the devices or logical devices identified
in the zone control block 532 as members of that zone.

During operation, when a zone-managing router or network box
receives an I/O request, the read-only 804 and read/write 806 zone masks
700 of the initiating device are logically ORed and the sum is logically
ANDed with the read-only 804 zone mask 700 of the target node. If the
product is non-zero, then both nodes belong to at least one zone in
common, and if the I/O request is a read request then access is allowed,
otherwise the request is rejected. If the product is zero, then the read-only
804 and read/write 806 zone masks 700 of the initiating device are
logically ORed and the sum is ANDed with the read/write 806 zone mask
700 of the target node. If the product is non-zero, then both nodes
belong to at least one zone in common and access is allowed, otherwise
the request is rejected.
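The admission rule just described, as an added C example; it is not code from the patent, and the zone_mask_t structure, the ZONE_BIT macro and the io_kind_t values are this example's own names. Note that the target's masks decide the access level: a common zone in which the target is read-only causes a write to be rejected even when another common zone grants read/write, which is exactly the order of checks the text gives.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Zone mask parameters 700 of one device control block (FIG. 8):
 * bit i of a vector set to 1 means the device is a member of Zone ID i. */
typedef struct {
    uint32_t read_only;   /* read-only vector 804 */
    uint32_t read_write;  /* read/write vector 806 */
} zone_mask_t;

#define ZONE_BIT(id) ((uint32_t)1u << (id))

typedef enum { IO_READ, IO_WRITE } io_kind_t;

/* The I/O admission rule as the description states it: OR the initiator's two
 * vectors, AND with the target's read-only mask first, then with the target's
 * read/write mask. The first non-zero product decides. */
bool zone_access_allowed(zone_mask_t initiator, zone_mask_t target, io_kind_t kind)
{
    uint32_t initiator_zones = initiator.read_only | initiator.read_write;

    if ((initiator_zones & target.read_only) != 0)
        return kind == IO_READ;            /* common zone, target read-only: reads only */

    if ((initiator_zones & target.read_write) != 0)
        return true;                       /* common zone, target read/write */

    return false;                          /* no zone in common: reject */
}

/* Constructed scenario using the FIG. 8 example device as the target. */
int main(void)
{
    zone_mask_t initiator = { 0, ZONE_BIT(0) };                 /* read/write in zone 0 */
    zone_mask_t target    = { ZONE_BIT(0) | ZONE_BIT(4),        /* read-only in zones 0, 4 */
                              ZONE_BIT(1) | ZONE_BIT(3) };      /* read/write in zones 1, 3 */
    zone_mask_t stranger  = { ZONE_BIT(5), ZONE_BIT(6) };       /* no zone in common */

    printf("read  target   -> %s\n", zone_access_allowed(initiator, target, IO_READ)    ? "allowed" : "rejected");
    printf("write target   -> %s\n", zone_access_allowed(initiator, target, IO_WRITE)   ? "allowed" : "rejected");
    printf("read  stranger -> %s\n", zone_access_allowed(initiator, stranger, IO_READ)  ? "allowed" : "rejected");
    return 0;
}
```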

FIG. 11 is a flowchart of steps in a method for initializing and
establishing zones in a computer network. Prior to initialization, step
1100 "discovers" all devices connected to the network and builds device
control blocks (DCBs). At step 1102 the network box or router 500 (FIG.
5) starts zoning initialization. At step 1104, the processor reads in the
zone configuration database (ZCDB) from the non-volatile RAM into the
RAM and verifies checksums. Step 1106 then begins the process of
building zone control blocks (ZCBs). First, step 1108 locates a valid zone
in the zone configuration database. If step 1110 determines that a valid
zone exists, then step 1112 allocates a zone control block and includes
necessary information from the zone configuration database in the zone
control block. Then the process reverts to step 1108 to build more zone
control blocks. If step 1110 determines that no valid zone exists, then
step 1114 determines whether all the zones were checked. If not all of
the zones were checked, then the process reverts to step 1108 to continue
checking all of the zones. If step 1114 determines that all of the zones
were checked, then the process continues to step 1116 where each device
control block is analyzed.

Step 1118 begins analyzing a device control block by retrieving the
device ID from the (next) device control block. Then, step 1120 attempts
to locate the device in the zone configuration database. If step 1122 does
not find the device in the zone configuration database, then step 1124
sets the device to the default zone mask (preferably bit 31) in the device
control block, adds information on the new device to the zone
configuration database, and the method proceeds to step 1138. If in step
1122 the device is found in the zone configuration database, then step
1126 fills the zone mask's (the read mask and the write mask)
information from the zone configuration database into the corresponding
zone information fields in the device control block. In order to fill in a list
of members in the zone control block, at step 1128 the zone control block
zone mask is compared with the device control block's zone mask (logical
OR comparison of the read mask with the write mask). At step 1130, if
the zone mask of the zone control block is present in the zone masks of
the device control block, then step 1132 adds a pointer of the device
control block to the member list of the zone control block. Whether or
not the masks match in step 1130, next, step 1134 determines whether
all of the zone masks of the zone control blocks have been compared with
the zone mask of the device control block; and if not, then step 1136
selects the next zone control block and returns the process to step 1130,
which compares the next zone mask until the zone masks of all the zone
control blocks have been compared with the zone mask of the current
device control block.

Once all the zone control blocks have been done in step 1134, next,
step 1138 determines whether all of the device control blocks have been
analyzed; if not, then the process returns to step 1118 for the next device
control block. After step 1138 determines that all of the device control
blocks have been analyzed, then at step 1140 the zoning initialization is
completed.
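The initialization flow of FIG. 11, steps 1106 through 1140, as an added C example; this is not the patent's code, and the structure layouts, field names, the MAX_* sizes and the choice to place the default bit 31 in the read/write vector are this example's assumptions. It follows the text in one detail worth noticing: a device that is not in the zone configuration database is given the default zone and recorded, but is never compared against the zone control blocks, so it appears in no member list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ZONES        32
#define MAX_DEVICES      16
#define DEFAULT_ZONE_BIT 31                  /* default zone mask for unknown devices, step 1124 */
#define ZONE_BIT(id)     ((uint32_t)1u << (id))

/* Zone configuration database 534, reduced to the fields the flowchart uses.
 * Field names are this example's own, not the patent's. */
typedef struct { bool valid; } zcdb_zone_t;
typedef struct { uint64_t device_id; uint32_t read_only, read_write; } zcdb_device_t;
typedef struct {
    zcdb_zone_t   zones[MAX_ZONES];
    zcdb_device_t devices[MAX_DEVICES];
    size_t        device_count;
} zcdb_t;

/* Device control block 530 (zone-relevant part) and zone control block 532. */
typedef struct { uint64_t device_id; uint32_t read_only, read_write; } dcb_t;
typedef struct {
    uint32_t     zone_mask;                  /* zone mask 900: exactly one bit set */
    const dcb_t *members[MAX_DEVICES];       /* pointers to member DCBs, step 1132 */
    size_t       member_count;
} zcb_t;

static const zcdb_device_t *zcdb_find(const zcdb_t *db, uint64_t id)
{
    for (size_t i = 0; i < db->device_count; i++)
        if (db->devices[i].device_id == id) return &db->devices[i];
    return NULL;
}

/* Steps 1106 to 1140: build one ZCB per valid zone, then fill each DCB's masks
 * and the ZCB member lists. Returns the number of zone control blocks built. */
size_t zoning_init(zcdb_t *db, dcb_t *dcbs, size_t ndcb, zcb_t *zcbs)
{
    size_t nzcb = 0;
    for (unsigned z = 0; z < MAX_ZONES; z++)             /* steps 1108-1114 */
        if (db->zones[z].valid)
            zcbs[nzcb++] = (zcb_t){ .zone_mask = ZONE_BIT(z), .member_count = 0 };

    for (size_t d = 0; d < ndcb; d++) {                  /* steps 1116-1138 */
        const zcdb_device_t *entry = zcdb_find(db, dcbs[d].device_id);
        if (entry == NULL) {
            /* Step 1124: unknown device gets the default zone and is recorded in the
             * ZCDB, then the flow skips to step 1138 (no ZCB comparison). Putting bit 31
             * in the read/write vector rather than the read-only one is an assumption. */
            dcbs[d].read_only  = 0;
            dcbs[d].read_write = ZONE_BIT(DEFAULT_ZONE_BIT);
            if (db->device_count < MAX_DEVICES)
                db->devices[db->device_count++] =
                    (zcdb_device_t){ dcbs[d].device_id, 0, ZONE_BIT(DEFAULT_ZONE_BIT) };
            continue;
        }
        dcbs[d].read_only  = entry->read_only;           /* step 1126 */
        dcbs[d].read_write = entry->read_write;
        uint32_t member_of = dcbs[d].read_only | dcbs[d].read_write;   /* step 1128 */
        for (size_t z = 0; z < nzcb; z++)                /* steps 1130-1136 */
            if (member_of & zcbs[z].zone_mask)
                zcbs[z].members[zcbs[z].member_count++] = &dcbs[d];
    }
    return nzcb;
}

/* Constructed scenario: zones 0 and 1 configured, three known devices and one
 * device (0x99) that is not in the ZCDB. Returns what a test can check. */
typedef struct { size_t nzcb, zone0_members, zone1_members, db_devices; uint32_t unknown_rw; } init_result_t;

init_result_t zoning_init_demo(void)
{
    zcdb_t db = { 0 };
    db.zones[0].valid = db.zones[1].valid = true;
    db.devices[0] = (zcdb_device_t){ 0x10, 0, ZONE_BIT(0) };              /* read/write in zone 0 */
    db.devices[1] = (zcdb_device_t){ 0x20, ZONE_BIT(0), ZONE_BIT(1) };    /* read-only in 0, r/w in 1 */
    db.devices[2] = (zcdb_device_t){ 0x30, 0, ZONE_BIT(1) };              /* read/write in zone 1 */
    db.device_count = 3;

    dcb_t dcbs[4] = { { .device_id = 0x10 }, { .device_id = 0x20 },
                      { .device_id = 0x30 }, { .device_id = 0x99 } };
    zcb_t zcbs[MAX_ZONES];
    size_t nzcb = zoning_init(&db, dcbs, 4, zcbs);
    return (init_result_t){ nzcb, zcbs[0].member_count, zcbs[1].member_count,
                            db.device_count, dcbs[3].read_write };
}
```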

The zoning features of this invention can span multiple boxes.
Zones are preferably configured using a GUI application which runs on a
host PC. After every zone configuration change, the zone information is
sent to all the necessary routers or boxes in the same redundancy group.
This feature allows users to configure networks using multiple routers
with redundant paths to access their devices.

A special protocol can be implemented in the routers to allow the
routers to communicate and exchange zone information with each other.
At configuration time, each router is made aware of the other routers (in a
redundancy group) that are connected to the same (some or all) devices in
the network. Whenever there is a change in the zone database, the
information will be sent to all other routers in the same redundancy
group.

The software used to manage the zoning of the network preferably
provides for various types of commands that allow a network
administrator to create and manage the zones on the computer network.
Such commands preferably include: create zone, add member to a zone,
remove member from a zone, and delete zone.

Create zone is used for creating a zone in the computer network.
The parameters for this command include a list of members or devices to
be included in the zone. The new zone would then occupy an unused
zone ID and set zone information in the zone configuration database. The
corresponding zone mask is then set in the device database.

Add member to a zone is used for adding member(s) to an already
existing zone. The parameters for this command include zone ID and a
list of new members or devices to be added.

Remove member from a zone is used for removing member(s) from 
an already existing zone. The parameters include zone ID and a list of 
members that are to be removed. 

Delete zone is used for deleting an already existing zone. The
parameters for this command are the zone ID of the zone to be deleted.
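The four commands above as an added C example over a reduced zone configuration database; it is not the patent's code, the function and field names are this example's own, and the read_only flag on add member (the page lists only a zone ID and member list), the lowest-free-ID allocation and the reservation of bit 31 are assumptions. The point it makes concrete is that delete zone must clear the zone's bit in every device's masks, because create zone hands out an unused ID and would otherwise inherit stale members.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ZONES        32
#define MAX_DEVICES      16
#define DEFAULT_ZONE_BIT 31                    /* left free for unconfigured devices (assumption) */
#define ZONE_BIT(id)     ((uint32_t)1u << (id))

/* Zone configuration database 534, reduced to what the four commands touch. */
typedef struct { uint64_t device_id; uint32_t read_only, read_write; } zcdb_device_t;
typedef struct {
    bool          zone_valid[MAX_ZONES];
    zcdb_device_t devices[MAX_DEVICES];
    size_t        device_count;
} zcdb_t;

static zcdb_device_t *find_device(zcdb_t *db, uint64_t id)
{
    for (size_t i = 0; i < db->device_count; i++)
        if (db->devices[i].device_id == id) return &db->devices[i];
    return NULL;
}

/* Add member: set the device's bit for zone_id in one mask and clear it in the
 * other, so a device holds exactly one access level per zone. */
bool zone_add_member(zcdb_t *db, int zone_id, uint64_t device_id, bool read_only)
{
    zcdb_device_t *dev = find_device(db, device_id);
    if (zone_id < 0 || zone_id >= MAX_ZONES || !db->zone_valid[zone_id] || dev == NULL)
        return false;
    uint32_t bit = ZONE_BIT(zone_id);
    if (read_only) { dev->read_only  |= bit; dev->read_write &= ~bit; }
    else           { dev->read_write |= bit; dev->read_only  &= ~bit; }
    return true;
}

/* Remove member: clear the zone bit in both masks. */
bool zone_remove_member(zcdb_t *db, int zone_id, uint64_t device_id)
{
    zcdb_device_t *dev = find_device(db, device_id);
    if (zone_id < 0 || zone_id >= MAX_ZONES || dev == NULL) return false;
    dev->read_only  &= ~ZONE_BIT(zone_id);
    dev->read_write &= ~ZONE_BIT(zone_id);
    return true;
}

/* Create zone: take the lowest unused zone ID and add the listed members with
 * read/write access. Returns the zone ID, or -1 when every ID is in use. */
int zone_create(zcdb_t *db, const uint64_t *members, size_t nmembers)
{
    for (int z = 0; z < MAX_ZONES; z++) {
        if (db->zone_valid[z] || z == DEFAULT_ZONE_BIT) continue;
        db->zone_valid[z] = true;
        for (size_t i = 0; i < nmembers; i++)
            zone_add_member(db, z, members[i], false);
        return z;
    }
    return -1;
}

/* Delete zone: free the ID and clear its bit in every device's masks. Without
 * this sweep a later zone_create() that reuses the ID would inherit the old members. */
bool zone_delete(zcdb_t *db, int zone_id)
{
    if (zone_id < 0 || zone_id >= MAX_ZONES || !db->zone_valid[zone_id]) return false;
    for (size_t i = 0; i < db->device_count; i++) {
        db->devices[i].read_only  &= ~ZONE_BIT(zone_id);
        db->devices[i].read_write &= ~ZONE_BIT(zone_id);
    }
    db->zone_valid[zone_id] = false;
    return true;
}

/* Constructed scenario: create two zones, delete the first, create a third that
 * reuses its ID, and report the IDs and the resulting read/write masks. */
typedef struct { int z0, z1, z2; uint32_t rw_10, rw_20, rw_30; } cmd_result_t;

cmd_result_t zone_commands_demo(void)
{
    zcdb_t db = { .device_count = 3,
                  .devices = { { 0x10, 0, 0 }, { 0x20, 0, 0 }, { 0x30, 0, 0 } } };
    const uint64_t first[] = { 0x10, 0x20 }, second[] = { 0x20, 0x30 }, third[] = { 0x10 };
    cmd_result_t r;
    r.z0 = zone_create(&db, first, 2);           /* zone 0: 0x10, 0x20 */
    r.z1 = zone_create(&db, second, 2);          /* zone 1: 0x20, 0x30 */
    zone_remove_member(&db, r.z1, 0x30);         /* 0x30 leaves zone 1 */
    zone_delete(&db, r.z0);                      /* zone 0 gone, bit 0 cleared everywhere */
    r.z2 = zone_create(&db, third, 1);           /* reuses ID 0 with only 0x10 as member */
    r.rw_10 = db.devices[0].read_write;
    r.rw_20 = db.devices[1].read_write;
    r.rw_30 = db.devices[2].read_write;
    return r;
}
```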
The invention has been explained above with reference to a
preferred embodiment. Other embodiments will be apparent to those
skilled in the art in light of this disclosure. For example, the invention
may be implemented in other configurations and/or used with other
systems. Therefore, these and other variations upon the preferred
embodiments are intended to be covered by the appended claims.
What is claimed is:

1. A method of zoning devices in a computer network, comprising the
steps of:

providing a zone configuration database identifying zones of which
each device is a member; and

allowing zone access between devices if and only if they are
members of the same zone.

2. The method of claim 1 wherein said zone configuration database
includes a zone mask identifying the zones of which each said
device is a member.

3. The method of claim 2 wherein said zone mask comprises:

a read mask which, if enabled for a specific device in a particular
zone, grants read-only access for said specific device within said
particular zone; and

a write mask which, if enabled for said specific device in said
particular zone grants read and write access for said specific device
within said particular zone.

4. The method of claim 1, further including the step of storing said
zone configuration database in a memory in at least one network
device connected to the computer network.

5. The method of claim 4, wherein said network device is selected
from the group consisting of: a router, a bridge, a hub, a switch,
and a network master.

6. The method of claim 4 wherein said memory is non-volatile. 
7. The method of claim 1, further including the step of using a
software program running on a device connected to the computer
network to create and manage said zone configuration database.

8. The method of claim 1, wherein said zone configuration database
includes a zone mask associated with each logical unit number in a
device.

9. The method of claim 1 wherein zone access is controlled by selected
network devices through redundant paths in a redundancy group.

10. The method of claim 1 further including the step of, during an 
initialization phase, storing, in a memory, unique device ID 
information for each device. 

11. A system for zoning devices in a computer network, comprising a
zone configuration database which lists each device connected to
the computer network, and which allows zone access between
devices if and only if they are members of the same zone.

12. The system of claim 11, wherein said zone configuration database
includes a zone mask identifying zones of which each device is a
member.

13. The system of claim 12 wherein said zone mask comprises:

a read mask which, if enabled for a specific device in a particular
zone, grants read-only access for said specific device within said
particular zone; and

a write mask which, if enabled for said specific device in said
particular zone grants read and write access for said specific device
within said particular zone.
14. The system of claim 11 wherein said zone configuration database is
stored in a memory in at least one network device connected to the
computer network.

15. The system of claim 14, wherein said network device is selected 
from the group consisting of: a router, a bridge, a hub, a switch, 
and a network master. 

16. The system of claim 14 wherein said memory is non-volatile.

17. The system of claim 11, wherein said zone configuration database 
is created and managed by a software program running on a device 
connected to the computer network. 

18. The system of claim 11, wherein said zone configuration database 
includes a zone mask associated with each logical unit number in a 
device. 

19. The system of claim 11 wherein zone access is controlled by
selected network devices through redundant paths in a redundancy
group.

20. A system for zoning devices connected to a computer network,
comprising:

zoning means which identify zones of which each device is a
member, and which allows zone access between devices if and only
if they are members of the same zone.

21. The system of claim 20, wherein said zoning means includes
masking means identifying at least one zone of which each device is
a member.

WO 00/55750 PCT/US00/06920

22. The system of claim 21, wherein said masking means comprises:

a read mask which, if enabled for a specific device in a particular
zone, grants read-only access for said specific device within said
particular zone; and

a write mask which, if enabled for said specific device in said
particular zone grants read and write access for said specific device
within said particular zone.

23. The system of claim 20 wherein said zoning means is stored in a
memory in at least one network device connected to the computer
network.

24. The system of claim 23, wherein said network device is selected
from the group consisting of: a router, a bridge, a hub, a switch,
and a network master.

25. The system of claim 23 wherein said memory is non-volatile. 

26. The system of claim 20 wherein said zoning means is created and
managed by a software program running on a device connected to
the computer network.

27. The system of claim 20, wherein said zoning means includes
masking means associated with each logical unit number in a
device.

28. The system of claim 20 wherein zone access is controlled by
selected network devices through redundant paths in a redundancy
group.